More on Aitel’s “Fallacies of Cyberwar” and Their Larger Implications

Dave Aitel of Immunity delivered a talk at the 20th USENIX Security Symposium, which built on the in-progress talk I discussed here and here. It is worth watching and attempting to understand. This is not a 100% endorsement, but there are a few lessons here that transcend the so-called “cyber” domain and apply to strategic thinking about technology in some really profound ways.

The first is that the fact that attackers win and defenders lose is not a feature of cyber war but a consequence of the attackers having a better strategy. To start, Aitel lays out a number of defenders’ excuses for why attackers are winning: inadequate resources, attackers “only have to be right once,” users are easy targets, etc. Aitel continues, “They keep saying it’s asymmetric, because they made a strategic choice and lost.” This goes to Rupert Smith’s point about asymmetric warfare–that it is a phrase “invented to explain a situation in which conventional states were threatened by unconventional powers but in which conventional military power would be capable of both deterring the threat and responding to it.”* Rather than challenge the strategy, defenders have redefined the environment to allow for their failure.

Secondly, this poor strategy comes from cultural and technological weaknesses–and technological weaknesses are really cultural weaknesses. This is a case I have been trying to make for the last four years on everything from small arms design to cyber war, but Aitel does it with superior technological knowledge and better smart-ass commentary.** In terms of “cyber warfare,” Aitel says defenders are unwilling to say no to insecure systems or designs (e.g. most browsers and SSL VPNs, he argues). This itself is not very shocking. Spend one day as an IT consultant with an interest in security, and you will get push-back when you ask users to change their behavior. Aitel goes further and says that the whole process–the whole human process–for designing and implementing security is broken. As I wrote at the council, “After all, when someone writes an exploit or takes advantage of some misconfiguration in a network to gain or deny access, they are attacking humans and human processes ultimately. The medium–a wireless network, an embedded device, whatever–is inconsequential.” I point this out because it is relatively easy for me to say this; my technological understanding of offensive techniques is modest at best, and attacking networks (much less making attack platforms) is not my business. Aitel is in the business of finding, writing, and selling exploits–and he’s telling you he’s winning because the way humans approach security is broken, not because of some whiz-bang widget.

On the opposite side of this human equation, attackers are, as Aitel says, “mature, self-organizing, [and] highly motivated.” Do you think the government’s recent approach to USCYBERCOM, etc. is “mature”? Government functionaries are still waiting on wonks to hand them a piece of doctrine that will most likely be wrong before they act. It reminds me of what Boyd said: “[I]f you have one doctrine, you’re a dinosaur.” We are standing up dinosaurs, and this is a fundamental cultural problem.

What concerns me more is how these cultural problems transcend this “cyber” domain. Do we have our money invested in the right technology in terms of engaging near-peer competitors, whether it’s another aircraft carrier vulnerable to ASBM attack or some other high-dollar system? Do we examine flaws in human processes throughout Defense, like the failures to address insider threats like Nidal Hasan or Bradley Manning? How does, say, our strategy in Afghanistan rate in terms of maturity compared to that of the Taliban?

I would still like to see his talk written up into a larger work, but it is well worth the effort for defenders–no matter what the domain–to consider Aitel’s challenge: “Attackers win because they have better strategy. The problem is not intractable.” Now, as Big Boi once quipped, “Go on and marinate on that for a minute.”

** – For example, “Why are these browsers not written in Java? Why is that? It’s retarded.” This is the hacker equivalent of Boyd saying, “I’ve never built an airplane before, but I could fuck up and do better than this.” I’m not 100% certain about Java, but I love this comment.

“If by chance you were to ask me which ornaments I would desire above all others in my house, I would reply, without much pause for reflection, arms and books.”
—Fra Sabba da Castiglione, Knight of St. John